RE: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-20 Thread Mike Cunningham
I believe that newer wifi access points will be able to include location 
information to E911 services. 
http://www.arubanetworks.com/pdf/partners/SB_RedSky.pdf 
http://www.cisco.com/c/en/us/products/collateral/wireless/wireless-location-appliance/product_data_sheet0900aecd80293728.html
 
How many access point vendors are going to jump on board remains to be seen. 

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mattson III, Ken V.
Sent: Tuesday, October 20, 2015 10:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

Thanks for the additional info.  We mainly were using it to compare against 
itself, especially the retransmissions. There were some telltale signs that we 
were having controller problems and a spike in retransmissions was a big one.

Kenneth V. Mattson III
Director - Network and Data
DoIT
Creighton University
402-280-2743
402-981-1140
 
A password is like a toothbrush:
Choose a good one, change it regularly and don't share it.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Earl Barfield
Sent: Monday, October 19, 2015 10:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

> Date:Fri, 16 Oct 2015 18:21:19 +
> From:"Mattson III, Ken V." <kenmatt...@creighton.edu>
> Subject: Re: Measuring RADIUS Auths
>
> I am pretty sure it is raw ("The number of RADIUS Access-Request packets sent 
> to this server. This does not include retransmissions.").
>
> 1.3.6.1.4.1.14179.2.5.3.1.8.3 is the retransmissions.
> http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en=Translate=bsnRadiusAuthClientAccessRetransmissions#oidContent
>
>
> Output from a snmpbulkwalk on one of our controllers:
> .1.3.6.1.4.1.14179.2.5.3.1.7.3 = Counter32: 93421076
> .1.3.6.1.4.1.14179.2.5.3.1.7.4 = Counter32: 0
> .1.3.6.1.4.1.14179.2.5.3.1.8.3 = Counter32: 31652
> .1.3.6.1.4.1.14179.2.5.3.1.8.4 = Counter32: 0

If you are doing EAP-PEAPv0/MS-CHAPv2 then there will be many (a dozen or so) 
Access-Request packets sent per user authorization occurrence.

The WiSM sends Access-Request (type 1) and the radius server answers
with Auth-Challenge (type 11).   This repeats back and forth many times
until the radius server finally answers the final Auth-Request with either an 
Auth-Accept (type 2) or Auth-Reject (type 3).


Just be clear what you're counting when comparing with other
institutions or you will be off by quite a bit.   Apples-to-apples, etc.







--
Earl Barfield -- Academic & Research Tech / Information Technology Georgia 
Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edue...@gatech.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.




RE: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-20 Thread Mattson III, Ken V.
Thanks for the additional info.  We mainly were using it to compare against 
itself, especially the retransmissions. There were some telltale signs that we 
were having controller problems and a spike in retransmissions was a big one.

Kenneth V. Mattson III
Director - Network and Data
DoIT
Creighton University
402-280-2743
402-981-1140
 
A password is like a toothbrush:
Choose a good one, change it regularly and don't share it.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Earl Barfield
Sent: Monday, October 19, 2015 10:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

> Date:Fri, 16 Oct 2015 18:21:19 +
> From:"Mattson III, Ken V." <kenmatt...@creighton.edu>
> Subject: Re: Measuring RADIUS Auths
>
> I am pretty sure it is raw ("The number of RADIUS Access-Request packets sent 
> to this server. This does not include retransmissions.").
>
> 1.3.6.1.4.1.14179.2.5.3.1.8.3 is the retransmissions.
> http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en=Translate=bsnRadiusAuthClientAccessRetransmissions#oidContent
>
>
> Output from a snmpbulkwalk on one of our controllers:
> .1.3.6.1.4.1.14179.2.5.3.1.7.3 = Counter32: 93421076
> .1.3.6.1.4.1.14179.2.5.3.1.7.4 = Counter32: 0
> .1.3.6.1.4.1.14179.2.5.3.1.8.3 = Counter32: 31652
> .1.3.6.1.4.1.14179.2.5.3.1.8.4 = Counter32: 0

If you are doing EAP-PEAPv0/MS-CHAPv2 then there will be many (a dozen
or so) Access-Request packets sent per user authorization occurrence.

The WiSM sends Access-Request (type 1) and the radius server answers
with Auth-Challenge (type 11).   This repeats back and forth many times
until the radius server finally answers the final Auth-Request with
either an Auth-Accept (type 2) or Auth-Reject (type 3).


Just be clear what you're counting when comparing with other
institutions or you will be off by quite a bit.   Apples-to-apples, etc.







-- 
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edue...@gatech.edu




Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-19 Thread Matthew Newton
Hi Charles,

On Thu, Oct 15, 2015 at 09:08:33PM +, Charles Rumford wrote:
> I’m currently embarking on a project to determine the number of
> RADIUS auths per minute each one of my controllers is generating
> to plan for the capacity I need for my RADIUS servers.
> 
> I was curious if anyone has embarked on a similar journey and
> tried to measure auth rates coming from their controllers?

We feed our RADIUS logs into elasticsearch, which you can then
query with kibana to get nice graphs of pretty much whatever you
want from the logs, which of course includes requests, auth
success, failures per second/minute, hour etc. We have several
plots, one of which shows auths per sec for each controller in a
stacked graph, as well as controller SNMP traps for RADIUS errors
(so we can see when MSCHAP/Samba/AD is becoming overloaded...!).

I bundled the basic config for detail files into the FreeRADIUS
source:

  
https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/doc/schemas/logstash

but that should work with any RADIUS server that writes out detail
logs.

The only downside to this approach as it stands is that it stores
complete logs, so you probably want to rotate them out after a few
months for privacy reasons, so you then lose the graphs. I've not
looked yet but it should be easy in logstash to output the stats
as well to graphite or similar to keep the basic counters around
for longer. But this "downside" is of course a great benefit when
you want to search for logs, as the result is nearly
instantaneous. 

(Also feeding FreeRADIUS auth logs, Wireless Controller TRAPS and
logs, and DHCP logs all in to the same elasticsearch index means
you can get an excellent view across all your wireless logs when
something goes wrong with a client.)

As you're using FreeRADIUS you can also use the "status" virtual
server to get stats out - see sites-available/status. You drive it
by feeding RADIUS packets into the server (e.g. with radclient) on
the status port and it responds with the data. Examples in the
server file. They can then be plotted with $GRAPHER_OF_CHOICE.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 



Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-19 Thread Matthew Newton
Hi,

On Fri, Oct 16, 2015 at 11:11:21AM -0400, Walter Reynolds wrote:
> Since you mention in the thread that you have Cisco with Freeradius
> backend, I thought I would point out that if you are doing PEAP/MSChapv2
> that the bottleneck is winbind/samba and that it is based on auth's per
> second, not purely auth request that show up in total request.

If you're running FreeRADIUS 3.0.8 or later compiled against Samba
4.2.1 or later you can try code I wrote that skips ntlm_auth
entirely and talks to Samba directly from FreeRADIUS with one of
their libraries. It should help with this issue.

Fast SSD backed servers can also help. Memory doesn't matter much
in my experience, but ntlm_auth has a large startup cost and
winbind writes cache to disk for every auth.

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 



Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-19 Thread Charles Rumford
I ended up SNMP polling my Aruba controllers for their stat information.

As I don’t run our RADIUS systems, getting comparable stats from them is a bit 
challenging. The RADIUS server stats I have access to are in number of 
requests, where the Aruba MIB offers stats by complete auth.

You can see the results of the collection at [0], and if you are interested, the 
code is at [1].

[0] - http://drahtlos.dccs.upenn.edu/localhost/localhost/index.html#wireless
[1] - https://bitbucket.org/TallWireless/randomscripts/src/096bc66f00d1/auth-stats-poll/?at=master


> On Oct 19, 2015, at 10:51 AM, Matthew Newton  wrote:
> 
> Hi Charles,
> 
> On Thu, Oct 15, 2015 at 09:08:33PM +, Charles Rumford wrote:
>> I’m currently embarking on a project to determine the number of
>> RADIUS auths per minute each one of my controllers is generating
>> to plan for the capacity I need for my RADIUS servers.
>> 
>> I was curious if anyone has embarked on a similar journey and
>> tried to measure auth rates coming from their controllers?
> 
> We feed our RADIUS logs into elasticsearch, which you can then
> query with kibana to get nice graphs of pretty much whatever you
> want from the logs, which of course includes requests, auth
> success, failures per second/minute, hour etc. We have several
> plots, one of which shows auths per sec for each controller in a
> stacked graph, as well as controller SNMP traps for RADIUS errors
> (so we can see when MSCHAP/Samba/AD is becoming overloaded...!).
> 
> I bundled the basic config for detail files into the FreeRADIUS
> source:
> 
>  
> https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/doc/schemas/logstash
> 
> but that should work with any RADIUS server that writes out detail
> logs.
> 
> The only downside to this approach as it stands is that it stores
> complete logs, so you probably want to rotate them out after a few
> months for privacy reasons, so you then lose the graphs. I've not
> looked yet but it should be easy in logstash to output the stats
> as well to graphite or similar to keep the basic counters around
> for longer. But this "downside" is of course a great benefit when
> you want to search for logs, as the result is nearly
> instantaneous.
> 
> (Also feeding FreeRADIUS auth logs, Wireless Controller TRAPS and
> logs, and DHCP logs all in to the same elasticsearch index means
> you can get an excellent view across all your wireless logs when
> something goes wrong with a client.)
> 
> As you're using FreeRADIUS you can also use the "status" virtual
> server to get stats out - see sites-available/status. You drive it
> by feeding RADIUS packets into the server (e.g. with radclient) on
> the status port and it responds with the data. Examples in the
> server file. They can then be plotted with $GRAPHER_OF_CHOICE.
> 
> Cheers,
> 
> Matthew
> 
> 
> --
> Matthew Newton, Ph.D. 
> 
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> 
> For IT help contact helpdesk extn. 2253, 
> 


Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808




RE: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-16 Thread Mattson III, Ken V.
I am pretty sure it is raw ("The number of RADIUS Access-Request packets sent 
to this server. This does not include retransmissions.").

1.3.6.1.4.1.14179.2.5.3.1.8.3 is the retransmissions.
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en=Translate=bsnRadiusAuthClientAccessRetransmissions#oidContent


Output from a snmpbulkwalk on one of our controllers:
.1.3.6.1.4.1.14179.2.5.3.1.7.3 = Counter32: 93421076
.1.3.6.1.4.1.14179.2.5.3.1.7.4 = Counter32: 0
.1.3.6.1.4.1.14179.2.5.3.1.8.3 = Counter32: 31652
.1.3.6.1.4.1.14179.2.5.3.1.8.4 = Counter32: 0


Kenneth V. Mattson III
Director - Network and Data
DoIT
Creighton University
402-280-2743
402-981-1140
 
A password is like a toothbrush:
Choose a good one, change it regularly and don't share it.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Charles Rumford
Sent: Friday, October 16, 2015 12:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

Is that raw requests or complete auths?

> On Oct 16, 2015, at 12:46 PM, Mattson III, Ken V. <kenmatt...@creighton.edu> 
> wrote:
> 
> We poll our controllers directly.
> 
> 
> 
> http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.14179.2.5.3.1.7=Translate=SUBMIT=true
> 
> 
> 
> We use the following OIDs:
> 
> 
> 
> 1.3.6.1.4.1.14179.2.5.3.1.7.3&1.3.6.1.4.1.14179.2.5.3.1.8.3
> 
> 
> 
> And graph them here:
> 
> 
> 
> http://mrtg.creighton.edu/WiSM/WiSM_Radius_Statistics.html
> 
> 
> 
> 
> 
> 
> 
> Kenneth V. Mattson III
> Director - Network and Data
> DoIT
> Creighton University
> 402-280-2743
> 402-981-1140
> 
> A password is like a toothbrush:
> Choose a good one, change it regularly and don't share it.
> 
> 
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ciesinski, Nick
> Sent: Friday, October 16, 2015 10:20 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths
> 
> 
> 
> This is the access key  AV3Q6TQB  I can’t add you for some reason.  Did your 
> ID change in CCW?
> 
> 
> 
> Nick
> 
> On Oct 16, 2015, at 10:11 AM, Walter Reynolds <wa...@umich.edu> wrote:
> 
> 
> 
> Since you mention in the thread that you have Cisco with Freeradius backend, 
> I thought I would point out that if you are request that show up in total 
> request.
> 
> 
> 
> That being said, our heaviest loaded Freeradius box seems to be hitting max 
> and we have hit as high as 150 auths/sec with an average of 80/sec over a 
> minute window.
> 
> 
> 
> Stand alone Two processor Quad core Intel Xeon X5570  @ 2.93GHz with 6Gb ram
> 
> 
> 
> A VM single Quad core with 8Gb ram seems to be peaking at 80/sec with a one 
> minute avg of 60/sec
> 
> 
> 
> 
> 
> 
> Walter Reynolds
> 
> Principal Systems Security Development Engineer
> Information and Technology Services
> University of Michigan
> (734) 615-9438
> 
> 
> 
> On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford <charl...@isc.upenn.edu> 
> wrote:
> 
> I’m currently embarking on a project to determine the number of RADIUS auths 
> per minute each one of my controllers is generating
> 
> I was curious if anyone has embarked on a similar journey and tried to 
> measure auth rates coming from their controllers?
> 
> I have a couple of ideas that I’m up for sharing, but I wanted to see if 
> anyone else has done this.
> 
> Thanks!
> 
> 
> Charles Rumford
> Network Engineer/Senior Wireless Engineer
> ISC Network Operations
> University of Pennsylvania
> OpenPGP Key ID: 0xF3D8215A
> (p) 215-746-2808
> 
> 
> 


Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808





Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-16 Thread Charles Rumford
Is that raw requests or complete auths?

> On Oct 16, 2015, at 12:46 PM, Mattson III, Ken V. <kenmatt...@creighton.edu> 
> wrote:
> 
> We poll our controllers directly.
> 
> 
> 
> http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.14179.2.5.3.1.7=Translate=SUBMIT=true
> 
> 
> 
> We use the following OIDs:
> 
> 
> 
> 1.3.6.1.4.1.14179.2.5.3.1.7.3&1.3.6.1.4.1.14179.2.5.3.1.8.3
> 
> 
> 
> And graph them here:
> 
> 
> 
> http://mrtg.creighton.edu/WiSM/WiSM_Radius_Statistics.html
> 
> 
> 
> 
> 
> 
> 
> Kenneth V. Mattson III
> Director - Network and Data
> DoIT
> Creighton University
> 402-280-2743
> 402-981-1140
> 
> A password is like a toothbrush:
> Choose a good one, change it regularly and don't share it.
> 
> 
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ciesinski, Nick
> Sent: Friday, October 16, 2015 10:20 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths
> 
> 
> 
> This is the access key  AV3Q6TQB  I can’t add you for some reason.  Did your 
> ID change in CCW?
> 
> 
> 
> Nick
> 
> On Oct 16, 2015, at 10:11 AM, Walter Reynolds <wa...@umich.edu> wrote:
> 
> 
> 
> Since you mention in the thread that you have Cisco with Freeradius backend, 
> I thought I would point out that if you are request that show up in total 
> request.
> 
> 
> 
> That being said, our heaviest loaded Freeradius box seems to be hitting max 
> and we have hit as high as 150 auths/sec with an average of 80/sec over a 
> minute window.
> 
> 
> 
> Stand alone Two processor Quad core Intel Xeon X5570  @ 2.93GHz with 6Gb ram
> 
> 
> 
> A VM single Quad core with 8Gb ram seems to be peaking at 80/sec with a one 
> minute avg of 60/sec
> 
> 
> 
> 
> 
> 
> Walter Reynolds
> 
> Principal Systems Security Development Engineer
> Information and Technology Services
> University of Michigan
> (734) 615-9438
> 
> 
> 
> On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford <charl...@isc.upenn.edu> 
> wrote:
> 
> I’m currently embarking on a project to determine the number of RADIUS auths 
> per minute each one of my controllers is generating
> 
> I was curious if anyone has embarked on a similar journey and tried to 
> measure auth rates coming from their controllers?
> 
> I have a couple of ideas that I’m up for sharing, but I wanted to see if 
> anyone else has done this.
> 
> Thanks!
> 
> 
> Charles Rumford
> Network Engineer/Senior Wireless Engineer
> ISC Network Operations
> University of Pennsylvania
> OpenPGP Key ID: 0xF3D8215A
> (p) 215-746-2808
> 
> 
> 


Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808




Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-16 Thread Walter Reynolds
Since you mention in the thread that you have Cisco with Freeradius
backend, I thought I would point out that if you are doing PEAP/MSChapv2
that the bottleneck is winbind/samba and that it is based on auth's per
second, not purely auth request that show up in total request.

That being said, our heaviest loaded Freeradius box seems to be hitting max
and we have hit as high as 150 auths/sec with an average of 80/sec over a
minute window.

Stand alone Two processor Quad core Intel Xeon X5570  @ 2.93GHz with 6Gb ram

A VM single Quad core with 8Gb ram seems to be peaking at 80/sec with a one
minute avg of 60/sec



Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford wrote:

> I’m currently embarking on a project to determine the number of RADIUS
> auths per minute each one of my controllers is generating to plan for the
> capacity I need for my RADIUS servers.
>
> I was curious if anyone has embarked on a similar journey and tried to
> measure auth rates coming from their controllers?
>
> I have a couple of ideas that I’m up for sharing, but I wanted to see if
> anyone else has done this.
>
> Thanks!
>
> 
> Charles Rumford
> Network Engineer/Senior Wireless Engineer
> ISC Network Operations
> University of Pennsylvania
> OpenPGP Key ID: 0xF3D8215A
> (p) 215-746-2808
>
>
>
>




Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-16 Thread Ciesinski, Nick
This is the access key  AV3Q6TQB  I can’t add you for some reason.  Did your ID 
change in CCW?

Nick
On Oct 16, 2015, at 10:11 AM, Walter Reynolds wrote:

Since you mention in the thread that you have Cisco with Freeradius backend, I 
thought I would point out that if you are doing PEAP/MSChapv2 that the 
bottleneck is winbind/samba and that it is based on auth's per second, not 
purely auth request that show up in total request.

That being said, our heaviest loaded Freeradius box seems to be hitting max and 
we have hit as high as 150 auths/sec with an average of 80/sec over a minute 
window.

Stand alone Two processor Quad core Intel Xeon X5570  @ 2.93GHz with 6Gb ram

A VM single Quad core with 8Gb ram seems to be peaking at 80/sec with a one 
minute avg of 60/sec



Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford wrote:
I’m currently embarking on a project to determine the number of RADIUS auths 
per minute each one of my controllers is generating to plan for the capacity I 
need for my RADIUS servers.

I was curious if anyone has embarked on a similar journey and tried to measure 
auth rates coming from their controllers?

I have a couple of ideas that I’m up for sharing, but I wanted to see if anyone 
else has done this.

Thanks!


Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808





RE: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-16 Thread Watters, John
THANKS for posting this.


-jcw

John Watters   The University of Alabama
Office of Information Technology
205-348-3992

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter Reynolds
Sent: Friday, October 16, 2015 7:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

The script (which was actually created by a co-worker) is run by adding the IP 
address of the WLC and the SNMP community string.  You will obviously need 
to change the path from  /home/waltr/bin/radiusstats/ to something that works 
for you.  I attached the script and the MIB file

First thing it does is add the date to the output file (output file is the WLC 
IP address appended by .stats)
The join command combines the output of the filtered snmp queries
Next comes the snmptable command.
The tail removes unneeded lines from the query
awk says to give you the columns you need
Second snmptable command
Again tail removes unneeded lines
The sed replaces header with something shorter to better fit on a screen
The column command formats for better readability
Finally we paste the output into the output file.

As far as determining how many Auths overall it is easier to do this on the 
radius server as the cisco stats just keep growing and you would need to run 
this script every minute and then find the difference between the values

With freeradius you can just run something like this to get a second by second 
count

grep "Login OK" /usr/local/var/log/radius/radlog.archive/radius.log-20151016 | 
grep TLS | cut -d " " -f 4 | uniq -c
 12 10:44:59
 16 10:45:00
 18 10:45:01
 21 10:45:02

To get a minute by minute

grep "Login OK" /usr/local/var/log/radius/radlog.archive/radius.log-20151016 | 
grep TLS | cut -d " " -f 4 | cut -d: -f 1,2 | uniq -c
890 10:44
925 10:45




Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Fri, Oct 16, 2015 at 12:46 AM, Watters, John 
<john.watt...@ua.edu> wrote:
Please send this stuff out. I would love to use it with our Cisco 8510s and our 
FreeRadius servers.

Thanks.

Sent from my iPhone

> On Oct 15, 2015, at 9:54 PM, Walt Reynolds 
> <wa...@umich.edu> wrote:
>
> We have Cisco controllers and have a script that polls the radius table and 
> then queries the radius stats table to combine the address of the radius 
> servers with their stats.  This is done on a Unix box with snmpwalk and the 
> like.  I will send that out in the morning if you want.
>
> I also did some work and got these same stats into cacti.
>
>
>
> Walter Reynolds
> University of Michigan
>
>> On Oct 15, 2015, at 7:36 PM, Jason Cook 
>> <jason.c...@adelaide.edu.au> wrote:
>>
>> There are some stats on the controllers but we haven't been able to work out 
>> how to poll them via snmp which would be ideal. The other option would be  
>> scripting SSH to run the command and pull the relevant information for 
>> graphing.
>>
>>
>> (Cisco Controller) >show radius auth statistics
>> Authentication Servers:
>>
>> Server Index. 1
>> Server Address... x
>> Msg Round Trip Time.. 0 (msec)
>> First Requests... 0
>> Retry Requests... 0
>> Accept Responses. 0
>> Reject Responses. 0
>> Challenge Responses.. 0
>> Malformed Msgs... 0
>> Bad Authenticator Msgs... 0
>> Pending Requests. 0
>> Timeout Requests. 0
>> Consecutive Drops ... 0
>> Unknowntype Msgs. 0
>> Other Drops.. 0
>>
>>
>> Server Index. 3
>> Server Address... x
>> Msg Round Trip Time.. 66 (msec)
>> First Requests... 2406297
>> Retry Requests... 936
>> Accept Responses...
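
The bookkeeping this thread describes (differencing the ever-growing controller counters between polls, and counting complete auths on the RADIUS side so the two are not confused), as an added Python example that is not code from any poster. The second poll's values, the log lines, and all function names are constructed for illustration; the log layout is assumed to match the `cut -d " " -f 4` pipeline above.

```python
import re
from collections import Counter

# Column OIDs quoted in the thread; the final sub-identifier is the index
# of the RADIUS server as configured on the controller.
OID_REQUESTS = ".1.3.6.1.4.1.14179.2.5.3.1.7"   # Access-Requests, no retransmits
OID_RETRANS = ".1.3.6.1.4.1.14179.2.5.3.1.8"    # retransmissions
COUNTER32_MOD = 2 ** 32

WALK_LINE = re.compile(r"^(\.[\d.]+)\.(\d+) = Counter32: (\d+)$")


def parse_walk(text):
    """Return {(column_oid, server_index): value} from snmpbulkwalk output."""
    out = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if m:
            out[(m.group(1), int(m.group(2)))] = int(m.group(3))
    return out


def counter_delta(old, new):
    """Difference of two Counter32 samples, allowing for one wrap at 2**32."""
    return (new - old) % COUNTER32_MOD


def poll_rates(walk_old, walk_new, seconds, index):
    """(Access-Requests per minute, retransmission ratio) for one server."""
    a, b = parse_walk(walk_old), parse_walk(walk_new)
    req = counter_delta(a[(OID_REQUESTS, index)], b[(OID_REQUESTS, index)])
    ret = counter_delta(a[(OID_RETRANS, index)], b[(OID_RETRANS, index)])
    return req * 60.0 / seconds, (ret / req if req else 0.0)


def auths_per_minute(log_text):
    """Complete auths per HH:MM, mirroring grep "Login OK" | grep TLS.

    split() breaks on any run of whitespace, so a space-padded day of
    month does not shift the time field the way cut -d " " would.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if "Login OK" in line and "TLS" in line:
            counts[line.split()[3][:5]] += 1
    return dict(counts)


# First poll: the values posted in the thread.
WALK_T0 = """
.1.3.6.1.4.1.14179.2.5.3.1.7.3 = Counter32: 93421076
.1.3.6.1.4.1.14179.2.5.3.1.7.4 = Counter32: 0
.1.3.6.1.4.1.14179.2.5.3.1.8.3 = Counter32: 31652
.1.3.6.1.4.1.14179.2.5.3.1.8.4 = Counter32: 0
"""
# Second poll 60 seconds later: constructed values.
WALK_T1 = """
.1.3.6.1.4.1.14179.2.5.3.1.7.3 = Counter32: 93433076
.1.3.6.1.4.1.14179.2.5.3.1.7.4 = Counter32: 0
.1.3.6.1.4.1.14179.2.5.3.1.8.3 = Counter32: 31712
.1.3.6.1.4.1.14179.2.5.3.1.8.4 = Counter32: 0
"""
# Constructed radius.log lines (note the padded day of month).
SAMPLE_LOG = """
Tue Oct  6 10:44:58 2015 : Auth: Login OK: [alice] (from client wlc1 port 0 via TLS tunnel)
Tue Oct  6 10:44:58 2015 : Auth: Login OK: [alice] (from client wlc1 port 13 cli 00-11-22-33-44-55)
Tue Oct  6 10:44:59 2015 : Auth: Login OK: [bob] (from client wlc1 port 0 via TLS tunnel)
Tue Oct  6 10:45:01 2015 : Auth: Login incorrect: [carol] (from client wlc2 port 0 via TLS tunnel)
Tue Oct  6 10:45:02 2015 : Auth: Login OK: [dave] (from client wlc2 port 0 via TLS tunnel)
"""

if __name__ == "__main__":
    per_min, retrans_ratio = poll_rates(WALK_T0, WALK_T1, 60, 3)
    print("Access-Requests/min: %.0f" % per_min)
    print("retransmission ratio: %.4f" % retrans_ratio)
    print("complete auths per minute:", auths_per_minute(SAMPLE_LOG))
```

Dividing the Access-Request delta for a window by the complete-auth count for the same window gives the packets-per-auth factor for your EAP method, which is the number to state when comparing figures with another site.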

RE: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-16 Thread Mattson III, Ken V.
We poll our controllers directly.

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.14179.2.5.3.1.7=Translate=SUBMIT=true

We use the following OIDs:

1.3.6.1.4.1.14179.2.5.3.1.7.3&1.3.6.1.4.1.14179.2.5.3.1.8.3

And graph them here:

http://mrtg.creighton.edu/WiSM/WiSM_Radius_Statistics.html



Kenneth V. Mattson III
Director - Network and Data
DoIT
Creighton University
402-280-2743
402-981-1140

A password is like a toothbrush:
Choose a good one, change it regularly and don't share it.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ciesinski, Nick
Sent: Friday, October 16, 2015 10:20 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

This is the access key  AV3Q6TQB  I can’t add you for some reason.  Did your ID 
change in CCW?

Nick
On Oct 16, 2015, at 10:11 AM, Walter Reynolds 
<wa...@umich.edu> wrote:

Since you mention in the thread that you have Cisco with Freeradius backend, I 
thought I would point out that if you are doing PEAP/MSChapv2 that the 
bottleneck is winbind/samba and that it is based on auth's per second, not 
purely auth request that show up in total request.

That being said, our heaviest loaded Freeradius box seems to be hitting max and 
we have hit as high as 150 auths/sec with an average of 80/sec over a minute 
window.

Stand alone Two processor Quad core Intel Xeon X5570  @ 2.93GHz with 6Gb ram

A VM single Quad core with 8Gb ram seems to be peaking at 80/sec with a one 
minute avg of 60/sec



Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford 
<charl...@isc.upenn.edu> wrote:
I’m currently embarking on a project to determine the number of RADIUS auths 
per minute each one of my controllers is generating to plan for the capacity I 
need for my RADIUS servers.

I was curious if anyone has embarked on a similar journey and tried to measure 
auth rates coming from their controllers?

I have a couple of ideas that I’m up for sharing, but I wanted to see if anyone 
else has done this.

Thanks!


Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.




Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Charles Rumford
We are using FreeRADIUS, but I want to measure independent of the RADIUS server.

--
Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808

Sent from my phone

On Oct 15, 2015, at 17:12, Jeremy Gibbs wrote:

What are you using for a RADIUS server?


--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford wrote:
I’m currently embarking on a project to determine the number of RADIUS auths 
per minute each one of my controllers is generating to plan for the capacity I 
need for my RADIUS servers.

I was curious if anyone has embarked on a similar journey and tried to measure 
auth rates coming from their controllers?

I have a couple of ideas that I’m up for sharing, but I wanted to see if anyone 
else has done this.

Thanks!


Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808





Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Walt Reynolds
We have Cisco controllers and have a script that polls the radius table and 
then queries the radius stats table to combine the address of the radius 
servers with their stats.  This is done on a Unix box with snmpwalk and the 
like.  I will send that out in the morning if you want.

I also did some work and got these same stats into cacti.  



Walter Reynolds
University of Michigan

> On Oct 15, 2015, at 7:36 PM, Jason Cook <jason.c...@adelaide.edu.au> wrote:
> 
> There are some stats on the controllers but we haven't been able to work out 
> how to poll them via snmp which would be ideal. The other option would be  
> scripting SSH to run the command and pull the relevant information for 
> graphing.  
> 
> 
> (Cisco Controller) >show radius auth statistics 
> Authentication Servers:
> 
> Server Index. 1
> Server Address... x
> Msg Round Trip Time.. 0 (msec)
> First Requests... 0
> Retry Requests... 0
> Accept Responses. 0
> Reject Responses. 0
> Challenge Responses.. 0
> Malformed Msgs... 0
> Bad Authenticator Msgs... 0
> Pending Requests. 0
> Timeout Requests. 0
> Consecutive Drops ... 0
> Unknowntype Msgs. 0
> Other Drops.. 0
> 
> 
> Server Index. 3
> Server Address... x
> Msg Round Trip Time.. 66 (msec)
> First Requests... 2406297
> Retry Requests... 936
> Accept Responses. 244593
> Reject Responses. 10527
> Challenge Responses.. 2151076
> Malformed Msgs... 0
> Bad Authenticator Msgs... 0
> Pending Requests. 9
> Timeout Requests. 1037
> Consecutive Drops ... 0
> Unknowntype Msgs. 0
> Other Drops.. 0
> 
> 
> Server Index. 4
> Server Address... x
> Msg Round Trip Time.. 32 (msec)
> First Requests... 1242604
> Retry Requests... 2373
> Accept Responses. 117933
> Reject Responses. 8209
> Challenge Responses.. 1116035
> Malformed Msgs... 0
> Bad Authenticator Msgs... 0
> Pending Requests. 0
> Timeout Requests. 2800
> Consecutive Drops ... 0
> Unknowntype Msgs. 0
> Other Drops.. 0
> 
> 
> Server Index. 5
> Server Address... x
> Msg Round Trip Time.. 14 (msec)
> First Requests... 248129
> Retry Requests... 34
> Accept Responses. 23145
> Reject Responses. 2192
> Challenge Responses.. 222790
> Malformed Msgs... 0
> Bad Authenticator Msgs... 0
> Pending Requests. 0
> Timeout Requests. 36
> Consecutive Drops ... 0
> Unknowntype Msgs. 0
> Other Drops.. 0
> 
> 
> 
> --
> 
> 
> Jason Cook
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wang, Yu
> Sent: Friday, 16 October 2015 9:23 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths
> 
> One way is to parse through radius logs (each controller has its unique 
> client name) and generate

RE: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Adam T Ferrero
Charles,

  We use freeradius and Zenoss.  There is a Zenoss zenpack that will generate 
graphs for you (if you happen to use Zenoss for monitoring): 
http://wiki.zenoss.org/ZenPack:FreeRADIUS.  It leverages the freeradius status 
module (not exactly independent I suppose).

  Adam


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Charles Rumford
Sent: Thursday, October 15, 2015 5:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

We are using FreeRADIUS, but I want to measure independent of the RADIUS server.
--
Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808


Sent from my phone

On Oct 15, 2015, at 17:12, Jeremy Gibbs 
<jlgi...@utica.edu> wrote:
What are you using for a RADIUS server?


--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford 
<charl...@isc.upenn.edu> wrote:
I'm currently embarking on a project to determine the number of RADIUS auths 
per minute each one of my controllers is generating to plan for the capacity I 
need for my RADIUS servers.

I was curious if anyone has embarked on a similar journey and tried to measure 
auth rates coming from their controllers?

I have a couple of ideas that I'm up for sharing, but I wanted to see if anyone 
else has done this.

Thanks!


Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808





RE: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Wang, Yu
One way is to parse through radius logs (each controller has its unique client 
name) and generate stats for auth/sec, auth/min, auth/day. You can also 
generate graphs from scripts. I wrote a few to generate and mail graphic 
reports daily.


Yu Wang
CS, FSU

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeremy Gibbs 
[jlgi...@utica.edu]
Sent: Thursday, October 15, 2015 5:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

Hmm, I am interested to hear how you might accomplish that.  My first instinct 
is to port mirror the controller to a large enough box to handle the traffic 
and have a filter looking for port 1645/1812 (whatever your RADIUS AUTH port 
is) so you only capture that traffic (I would use tcpdump).  Then you might be 
able to do some stats on it if you capture for an hour or so.


--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Oct 15, 2015 at 5:13 PM, Charles Rumford 
<charl...@isc.upenn.edu> wrote:
We are using FreeRADIUS, but I want to measure independent of the RADIUS server.

--
Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808

Sent from my phone

On Oct 15, 2015, at 17:12, Jeremy Gibbs 
<jlgi...@utica.edu> wrote:

What are you using for a RADIUS server?


--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford 
<charl...@isc.upenn.edu> wrote:
I’m currently embarking on a project to determine the number of RADIUS auths 
per minute each one of my controllers is generating to plan for the capacity I 
need for my RADIUS servers.

I was curious if anyone has embarked on a similar journey and tried to measure 
auth rates coming from their controllers?

I have a couple of ideas that I’m up for sharing, but I wanted to see if anyone 
else has done this.

Thanks!


Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808




RE: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Jason Cook
There are some stats on the controllers but we haven't been able to work out 
how to poll them via snmp which would be ideal. The other option would be  
scripting SSH to run the command and pull the relevant information for 
graphing.  


(Cisco Controller) >show radius auth statistics 
Authentication Servers:

Server Index. 1
Server Address... x
Msg Round Trip Time.. 0 (msec)
First Requests... 0
Retry Requests... 0
Accept Responses. 0
Reject Responses. 0
Challenge Responses.. 0
Malformed Msgs... 0
Bad Authenticator Msgs... 0
Pending Requests. 0
Timeout Requests. 0
Consecutive Drops ... 0
Unknowntype Msgs. 0
Other Drops.. 0


Server Index. 3
Server Address... x
Msg Round Trip Time.. 66 (msec)
First Requests... 2406297
Retry Requests... 936
Accept Responses. 244593
Reject Responses. 10527
Challenge Responses.. 2151076
Malformed Msgs... 0
Bad Authenticator Msgs... 0
Pending Requests. 9
Timeout Requests. 1037
Consecutive Drops ... 0
Unknowntype Msgs. 0
Other Drops.. 0


Server Index. 4
Server Address... x
Msg Round Trip Time.. 32 (msec)
First Requests... 1242604
Retry Requests... 2373
Accept Responses. 117933
Reject Responses. 8209
Challenge Responses.. 1116035
Malformed Msgs... 0
Bad Authenticator Msgs... 0
Pending Requests. 0
Timeout Requests. 2800
Consecutive Drops ... 0
Unknowntype Msgs. 0
Other Drops.. 0


Server Index. 5
Server Address... x
Msg Round Trip Time.. 14 (msec)
First Requests... 248129
Retry Requests... 34
Accept Responses. 23145
Reject Responses. 2192
Challenge Responses.. 222790
Malformed Msgs... 0
Bad Authenticator Msgs... 0
Pending Requests. 0
Timeout Requests. 36
Consecutive Drops ... 0
Unknowntype Msgs. 0
Other Drops.. 0



--


Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph    : +61 8 8313 4800

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wang, Yu
Sent: Friday, 16 October 2015 9:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

One way is to parse through radius logs (each controller has its unique client 
name) and generate stats for auth/sec, auth/min, auth/day. You can also 
generate graphs from scripts. I wrote a few to generate and mail graphic 
reports daily.


Yu Wang
CS, FSU

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeremy Gibbs 
[jlgi...@utica.edu]
Sent: Thursday, October 15, 2015 5:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

Hmm, I am interested to hear how you might accomplish that.  My first instinct 
is to port mirror the controller to a large enough box to handle the traffic 
and have a filter looking for port 1645/1812 (whatever your RADIUS AUTH port 
is) so you only capture that traffic (I would use tcpdump).  Then you might be 
able to do some stats on it if you capture for an hour or so.


--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 
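
An added example, not part of the thread and not any poster's script: one way to turn two captures of the `show radius auth statistics` output quoted above into per-server rates. The first snapshot reuses the Server Index 3 counters from the message; the second snapshot, the 300-second interval, the function names and the 32-bit wrap behaviour are assumptions made for illustration.

```python
import re

# Assumption: the CLI counters wrap at 2**32, like the SNMP Counter32 objects.
COUNTER_MOD = 2 ** 32
# Monotonic counters only; round-trip time and pending requests are gauges.
COUNTERS = ("First Requests", "Retry Requests", "Accept Responses",
            "Reject Responses", "Challenge Responses", "Timeout Requests")
# "Label.... value": a label, a run of dots of any length, then the value.
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*\.+\s*(\S+)")

# Counters for Server Index 3 as quoted in the message above.
SNAP_T0 = """\
(Cisco Controller) >show radius auth statistics
Authentication Servers:

Server Index. 3
Server Address... x
Msg Round Trip Time.. 66 (msec)
First Requests... 2406297
Retry Requests... 936
Accept Responses. 244593
Reject Responses. 10527
Challenge Responses.. 2151076
Pending Requests. 9
Timeout Requests. 1037
"""

# Constructed second snapshot, assumed to be taken 300 seconds later.
SNAP_T1 = """\
Server Index. 3
Server Address... x
Msg Round Trip Time.. 61 (msec)
First Requests... 2430297
Retry Requests... 996
Accept Responses. 247043
Reject Responses. 10577
Challenge Responses.. 2172576
Pending Requests. 4
Timeout Requests. 1047
"""


def parse_stats(text):
    """Return {server_index: {label: int}}; non-numeric values are skipped."""
    servers, current = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt line, section header or blank line
        label, value = m.group(1), m.group(2)
        if label == "Server Index":
            current = servers.setdefault(int(value), {})
        elif current is not None and value.isdigit():
            current[label] = int(value)
    return servers


def delta(new, old):
    """Counter difference that tolerates a single wrap.

    A controller reboot resets the counters and shows up here as an
    implausibly large delta; discard that sample rather than graph it.
    """
    return (new - old) % COUNTER_MOD


def rates(old_text, new_text, interval_s):
    """Per-server rates between two snapshots taken interval_s apart."""
    old, new = parse_stats(old_text), parse_stats(new_text)
    minutes = interval_s / 60.0
    out = {}
    for idx in sorted(set(old) & set(new)):
        d = {c: delta(new[idx].get(c, 0), old[idx].get(c, 0)) for c in COUNTERS}
        first = d["First Requests"]
        # An EAP login is many Access-Request/Access-Challenge round trips,
        # so finished authentications are Accepts + Rejects, not requests.
        done = d["Accept Responses"] + d["Reject Responses"]
        out[idx] = {
            "requests_per_min": first / minutes,
            "completed_auths_per_min": done / minutes,
            "requests_per_auth": first / done if done else 0.0,
            "retry_ratio": d["Retry Requests"] / first if first else 0.0,
            "reject_ratio": d["Reject Responses"] / done if done else 0.0,
            "timeouts": d["Timeout Requests"],
        }
    return out


if __name__ == "__main__":
    for idx, r in rates(SNAP_T0, SNAP_T1, 300).items():
        print(idx, r)
```

The retry ratio and timeout delta are the values to alert on, and the reject ratio gives a baseline for spotting bursts of failed logins from one controller.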

Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Jeremy Gibbs
Hmm, I am interested to hear how you might accomplish that.  My first
instinct is to port mirror the controller to a large enough box to handle
the traffic and have a filter looking for port 1645/1812 (whatever your
RADIUS AUTH port is) so you only capture that traffic (I would use
tcpdump).  Then you might be able to do some stats on it if you capture for
an hour or so.




*--Jeremy L. Gibbs*
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Oct 15, 2015 at 5:13 PM, Charles Rumford 
wrote:

> We are using FreeRADIUS, but I want to measure independent of the RADIUS
> server.
>
> --
> Charles Rumford
> Network Engineer/Senior Wireless Engineer
> ISC Network Operations
> University of Pennsylvania
> OpenPGP Key ID: 0xF3D8215A
> (p) 215-746-2808
>
> Sent from my phone
>
> On Oct 15, 2015, at 17:12, Jeremy Gibbs wrote:
>
> What are you using for a RADIUS server?
>
>
>
>
> *-- Jeremy L. Gibbs*
> Sr. Network Engineer
> Utica College IITS
>
> T: (315) 223-2383
> F: (315) 792-3814
> E: jlgi...@utica.edu
> http://www.utica.edu
>
> On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford 
> wrote:
>
>> I’m currently embarking on a project to determine the number of RADIUS
>> auths per minute each one of my controllers is generating to plan for the
>> capacity I need for my RADIUS servers.
>>
>> I was curious if anyone has embarked on a similar journey and tried to
>> measure auth rates coming from their controllers?
>>
>> I have a couple of ideas that I’m up for sharing, but I wanted to see if
>> anyone else has done this.
>>
>> Thanks!
>>
>> 
>> Charles Rumford
>> Network Engineer/Senior Wireless Engineer
>> ISC Network Operations
>> University of Pennsylvania
>> OpenPGP Key ID: 0xF3D8215A
>> (p) 215-746-2808
>>
>>
>
>




Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Jeremy Gibbs
What are you using for a RADIUS server?




*--Jeremy L. Gibbs*
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford 
wrote:

> I’m currently embarking on a project to determine the number of RADIUS
> auths per minute each one of my controllers is generating to plan for the
> capacity I need for my RADIUS servers.
>
> I was curious if anyone has embarked on a similar journey and tried to
> measure auth rates coming from their controllers?
>
> I have a couple of ideas that I’m up for sharing, but I wanted to see if
> anyone else has done this.
>
> Thanks!
>
> 
> Charles Rumford
> Network Engineer/Senior Wireless Engineer
> ISC Network Operations
> University of Pennsylvania
> OpenPGP Key ID: 0xF3D8215A
> (p) 215-746-2808
>
>
>
>




Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Jeremy Gibbs
I am surprised there are no statistics to be had from the controller.  I am
assuming you have gone down that avenue already.




*--Jeremy L. Gibbs*
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Oct 15, 2015 at 5:35 PM, Charles Rumford 
wrote:

> That is my first thought also. I might put two smaller boxes out on select
> controllers and do selective port mirroring from the actual controller to
> reduce the flood of traffic. More thinking and planning needed.
>
> --
> Charles Rumford
> Network Engineer/Senior Wireless Engineer
> ISC Network Operations
> University of Pennsylvania
> OpenPGP Key ID: 0xF3D8215A
> (p) 215-746-2808
>
> Sent from my phone
>
> On Oct 15, 2015, at 17:29, Jeremy Gibbs wrote:
>
> Hmm, I am interested to hear how you might accomplish that.  My first
> instinct is to port mirror the controller to a large enough box to handle
> the traffic and have a filter looking for port 1645/1812 (whatever your
> RADIUS AUTH port is) so you only capture that traffic (I would use
> tcpdump).  Then you might be able to do some stats on it if you capture for
> an hour or so.
>
>
>
>
> *-- Jeremy L. Gibbs*
> Sr. Network Engineer
> Utica College IITS
>
> T: (315) 223-2383
> F: (315) 792-3814
> E: jlgi...@utica.edu
> http://www.utica.edu
>
> On Thu, Oct 15, 2015 at 5:13 PM, Charles Rumford 
> wrote:
>
>> We are using FreeRADIUS, but I want to measure independent of the RADIUS
>> server.
>>
>> --
>> Charles Rumford
>> Network Engineer/Senior Wireless Engineer
>> ISC Network Operations
>> University of Pennsylvania
>> OpenPGP Key ID: 0xF3D8215A
>> (p) 215-746-2808
>>
>> Sent from my phone
>>
>> On Oct 15, 2015, at 17:12, Jeremy Gibbs wrote:
>>
>> What are you using for a RADIUS server?
>>
>>
>>
>>
>> *-- Jeremy L. Gibbs*
>> Sr. Network Engineer
>> Utica College IITS
>>
>> T: (315) 223-2383
>> F: (315) 792-3814
>> E: jlgi...@utica.edu
>> http://www.utica.edu
>>
>> On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford 
>> wrote:
>>
>>> I’m currently embarking on a project to determine the number of RADIUS
>>> auths per minute each one of my controllers is generating to plan for the
>>> capacity I need for my RADIUS servers.
>>>
>>> I was curious if anyone has embarked on a similar journey and tried to
>>> measure auth rates coming from their controllers?
>>>
>>> I have a couple of ideas that I’m up for sharing, but I wanted to see if
>>> anyone else has done this.
>>>
>>> Thanks!
>>>
>>> 
>>> Charles Rumford
>>> Network Engineer/Senior Wireless Engineer
>>> ISC Network Operations
>>> University of Pennsylvania
>>> OpenPGP Key ID: 0xF3D8215A
>>> (p) 215-746-2808
>>>
>>>
>
>




Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Charles Rumford
That is my first thought also. I might put two smaller boxes out on select 
controllers and do selective port mirroring from the actual controller to 
reduce the flood of traffic. More thinking and planning needed.

--
Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808

Sent from my phone

On Oct 15, 2015, at 17:29, Jeremy Gibbs wrote:

Hmm, I am interested to hear how you might accomplish that.  My first instinct 
is to port mirror the controller to a large enough box to handle the traffic 
and have a filter looking for port 1645/1812 (whatever your RADIUS AUTH port 
is) so you only capture that traffic (I would use tcpdump).  Then you might be 
able to do some stats on it if you capture for an hour or so.


--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Oct 15, 2015 at 5:13 PM, Charles Rumford wrote:
We are using FreeRADIUS, but I want to measure independent of the RADIUS server.

--
Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808

Sent from my phone

On Oct 15, 2015, at 17:12, Jeremy Gibbs wrote:

What are you using for a RADIUS server?


--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford wrote:
I’m currently embarking on a project to determine the number of RADIUS auths 
per minute each one of my controllers is generating to plan for the capacity I 
need for my RADIUS servers.

I was curious if anyone has embarked on a similar journey and tried to measure 
auth rates coming from their controllers?

I have a couple of ideas that I’m up for sharing, but I wanted to see if anyone 
else has done this.

Thanks!


Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808





Re: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Jon Scot Prunckle
Charles,

We’re running two load-balanced FreeRADIUS instances on RHEL servers.  Our 
Identity and Access Management Team runs those machines.  Short story long, 
last fall our auth rates were getting high enough that the IAM team had to 
convert the log rotation to MySQL because the log files were filling up faster 
than the servers could rotate them.

One of the IAM Specialists wrote Python code to generate a CSV file of total 
auths per minute in one minute intervals by month.  I’m lucky to be the end 
recipient of the pre-munged data, but if you’re interested I could reach out to 
that department and see if they are willing to share their process.

Sincerely,


J. Scot Prunckle
Network Engineer
UITS Network and Operations Services
University of Wisconsin-Milwaukee
Office Mobile: (414) 416-9709
E-mail: prunc...@uwm.edu

> On Oct 15, 2015, at 4:08 PM, Charles Rumford wrote:
> 
> I’m currently embarking on a project to determine the number of RADIUS auths 
> per minute each one of my controllers is generating to plan for the capacity 
> I need for my RADIUS servers.
> 
> I was curious if anyone has embarked on a similar journey and tried to 
> measure auth rates coming from their controllers?
> 
> I have a couple of ideas that I’m up for sharing, but I wanted to see if 
> anyone else has done this.
> 
> Thanks!
> 
> 
> Charles Rumford
> Network Engineer/Senior Wireless Engineer
> ISC Network Operations
> University of Pennsylvania
> OpenPGP Key ID: 0xF3D8215A
> (p) 215-746-2808
> 
> 
> 





RE: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Jason Cook
Hi Walter.

Yeah I'd certainly like to see how you do the queries, we've only just started 
looking into this and that would certainly save some time

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph    : +61 8 8313 4800

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walt Reynolds
Sent: Friday, 16 October 2015 1:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

We have Cisco controllers and have a script that polls the radius table and 
then queries the radius stats table to combine the address of the radius 
servers with their stats.  This is done on a Unix box with snmpwalk and the 
like.  I will send that out in the morning if you want.

I also did some work and got these same stats into cacti.  



Walter Reynolds
University of Michigan

> On Oct 15, 2015, at 7:36 PM, Jason Cook <jason.c...@adelaide.edu.au> wrote:
> 
> There are some stats on the controllers but we haven't been able to work out 
> how to poll them via snmp which would be ideal. The other option would be  
> scripting SSH to run the command and pull the relevant information for 
> graphing.  
> 
> 
> (Cisco Controller) >show radius auth statistics 
> Authentication Servers:
> 
> Server Index. 1
> Server Address... x
> Msg Round Trip Time.. 0 (msec)
> First Requests... 0
> Retry Requests... 0
> Accept Responses. 0
> Reject Responses. 0
> Challenge Responses.. 0
> Malformed Msgs... 0
> Bad Authenticator Msgs... 0
> Pending Requests. 0
> Timeout Requests. 0
> Consecutive Drops ... 0
> Unknowntype Msgs. 0
> Other Drops.. 0
> 
> 
> Server Index. 3
> Server Address... x
> Msg Round Trip Time.. 66 (msec)
> First Requests... 2406297
> Retry Requests... 936
> Accept Responses. 244593
> Reject Responses. 10527
> Challenge Responses.. 2151076
> Malformed Msgs... 0
> Bad Authenticator Msgs... 0
> Pending Requests. 9
> Timeout Requests. 1037
> Consecutive Drops ... 0
> Unknowntype Msgs. 0
> Other Drops.. 0
> 
> 
> Server Index. 4
> Server Address... x
> Msg Round Trip Time.. 32 (msec)
> First Requests... 1242604
> Retry Requests... 2373
> Accept Responses. 117933
> Reject Responses. 8209
> Challenge Responses.. 1116035
> Malformed Msgs... 0
> Bad Authenticator Msgs... 0
> Pending Requests. 0
> Timeout Requests. 2800
> Consecutive Drops ... 0
> Unknowntype Msgs. 0
> Other Drops.. 0
> 
> 
> Server Index. 5
> Server Address... x
> Msg Round Trip Time.. 14 (msec)
> First Requests... 248129
> Retry Requests... 34
> Accept Responses. 23145
> Reject Responses. 2192
> Challenge Responses.. 222790
> Malformed Msgs... 0
> Bad Authenticator Msgs... 0
> Pending Requests. 0
> Timeout Requests. 36
> Consecutive Drops ... 0
> Unknowntype Msgs. 0
> Other Drops